It's the end of our calendar year again, time to review the last twelve editions of the newsletter to summarize
the year and make some bold predictions. In doing this I came across the December 2001 edition and read the editorial.
I've copied parts of it below; it's an interesting read when you look back over the last twelve months in the IT
Security industry, and strangely refreshing to look back in this fast-moving, forward-looking industry.
--
Having just attended the annual AVAR Conference and spent a lot of time listening
and talking to many people in the industry, I think it's safe to say that we'll see more of the same types of threats.
This means many more Win32 worms and viruses using traditional virus-like techniques integrated with vulnerability
exploits and DoS 'features'.
There may well be a rapid adoption of wireless networking, and if there is we will see vulnerabilities exposed and
exploited. I'll repeat what I've said many times, that is, if you want to use wireless, run a VPN (Virtual Private
Network) over it to secure the data or use applications that have data encryption built in.
One other prediction I have is that Microsoft will, by the end of the year, have made substantial moves towards
securing many of their operating systems and software application platforms. Products like Windows, Internet Information
Server (IIS), Internet Explorer (IE), Outlook and Outlook Express will all be more secure, either in anticipation
of or as a result of new vulnerabilities being discovered.
--
This year's AVAR conference in Korea was an excellent event, and next year's will
be hosted by Symantec in Sydney, Australia. My predictions would be very similar: we are seeing what we now call
'blended threats' more often and expect the complexity and efficiency to increase. Microsoft is making significant
headway in the reduction of vulnerabilities in Windows and associated software, as are many other software vendors.
I think we'll see an increase in the number of threats targeting Linux, maybe one or two for OS X and, if they come
down in cost, the emergence of real threats for wireless devices. We still haven't reached a price point which
makes these devices pervasive enough to be attractive to writers of malicious code, even though we are already
seeing potentially vulnerable devices with integrated PDA, wireless and mobile phone functionality.
Finally I'd like to thank all those who contributed to the Newsletter over the last year, and for those of you celebrating
the holiday season, happy holidays and good wishes for the new year.
Best Regards
David Banes.
Editor, Symantec Security Response Newsletter.
Symantec DeepSight™ Analyzer
Become a part of the global early-warning system for cyber attacks, and in return, receive FREE access to Symantec
DeepSight Analyzer, a secure, personalized, Web-based incident console, which provides local incident tracking,
personalized incident reports, and the ability to generate attacker notification messages.
IT professionals can join the community of over 16,000 users in over 180 countries who anonymously and automatically
submit suspicious network traffic and intrusion attempts to the Symantec Event Database. This information is used
to identify patterns in attacks that help serve as a threat-gauging system for the Internet community, and because
it's anonymous, protects your company identity at all times.
In return, Symantec DeepSight Analyzer gives IT professionals the ability to track and manage attacks on their
own network. Analyzer consolidates event data from seven different Intrusion Detection System (IDS) products and
seven different Firewall products, giving IT professionals a single, comprehensive view of threats against their
environment.
Key Features of Symantec DeepSight Analyzer:
- Correlate attacks from a multitude of IDS and Firewall logs
- Manage your logs via a secure, personalized Web-based console
- View detailed information on related vulnerabilities
- Schedule statistical reports
- Track attacks to resolution
- Notify offending networks of attacks
For more information on Symantec DeepSight Analyzer and a FREE download:
http://enterprisesecurity.symantec.com/products/products.cfm?productid=159&EID=0
Viruses, Worms & Trojans
W32.Heovin@mm
Aliases: W32.Holar.C@mm, W32/Holar.c@MM [McAfee], W32/Lagel.A [Panda], Win32.Holar.C [CA], WORM_HOLAR.C [Trend],
I-Worm.Galil [KAV]
Risk: Low
Date: 6th December 2002
Platforms Affected
- Windows 95
- Windows 98
- Windows NT
- Windows 2000
- Windows XP
- Windows Me
Overview
W32.Heovin@mm is a mass-mailing worm that uses Microsoft Outlook to send itself to
all contacts in the Windows Address Book. It attempts to send a copy of itself to other mIRC users. It also has backdoor
capabilities that allow a hacker to remotely control an infected computer. The email message has the following
characteristics:
The subject line is one of the following:
Subject: Flash funny pic
or
Subject: Check This update
Message: Check dis out!
Attachment: Funnyflush.pif
This threat is written in the Microsoft Visual Basic programming language.
NOTE: Definitions dated earlier than December 9, 2002, may detect this threat as Bloodhound.W32.VBWORM.
Recommendations
Follow this link for removal instructions for W32.Heovin@mm:
http://www.sarc.com/avcenter/venc/data/w32.heovin@mm.html#removalinstructions
References
http://www.sarc.com/avcenter/venc/data/w32.heovin@mm.htm
Credit
By Yana Liu, Symantec Security Response, USA.
W32.Brid.B@mm
Aliases:
Risk: Low
Date: 18th November 2002
Platforms Affected
- Windows 95
- Windows 98
- Windows NT
- Windows 2000
- Windows XP
- Windows Me
Overview
W32.Brid.B@mm is a variant of W32.Brid.A@mm. It is a mass-mailing worm that uses its own SMTP engine to send itself
to the email addresses that it finds in .htm and .dbx files. This variant also attempts to terminate the processes
of various antivirus and security programs. The email message has the following characteristics:
Subject: [Registered Windows company name]
Message:
Hello,
My name is donkey-virus.
I wish you a merry Christmas and happy new year.
Thank you.
Attachment: Readme.exe
Recommendations
Follow this link for removal instructions for W32.Brid.B@mm:
http://pub-cu.symantec.com/avcenter/venc/data/w32.brid.b@mm.html
Credit
Peter Szor, Symantec Security Response, USA
References
http://pub-cu.symantec.com/avcenter/venc/data/w32.brid.b@mm.html
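The two write-ups above (W32.Heovin@mm and W32.Brid.B@mm) each list the subject, body and attachment name of the worm's email, which is exactly what a mail-gateway filter keys on. The script below is an added example, not Symantec's code and not part of the newsletter: it parses a raw message with Python's standard library, pulls out the subject, the attachment filenames and the plain-text body, and reports which worm's characteristics it matches. The indicator table is copied from the two entries; the three sample messages are constructed for the example (Brid.B's subject varies per victim, so the sample uses a placeholder company name).

```python
from email import message_from_string

# Message characteristics quoted in the two write-ups above.  Brid.B's subject
# is the victim's registered Windows company name, so it cannot be matched
# statically; its fixed body text and attachment name are used instead.
INDICATORS = {
    "W32.Heovin@mm": {
        "subjects": {"flash funny pic", "check this update"},
        "attachments": {"funnyflush.pif"},
        "body": "check dis out!",
    },
    "W32.Brid.B@mm": {
        "subjects": set(),
        "attachments": {"readme.exe"},
        "body": "my name is donkey-virus",
    },
}


def attachment_names(msg):
    """Lower-cased filenames of every MIME part that carries one."""
    names = set()
    for part in msg.walk():
        name = part.get_filename()
        if name:
            names.add(name.lower())
    return names


def body_text(msg):
    """All text/plain parts joined and lower-cased, for substring matching."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks).lower()


def classify(raw_message):
    """Return the worm names whose characteristics the message shows.

    A match needs the attachment name plus at least one message
    characteristic (subject or body), so a plain reply that merely quotes
    the subject line is not flagged."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip().lower()
    names = attachment_names(msg)
    body = body_text(msg)
    hits = []
    for worm, ind in INDICATORS.items():
        has_attachment = bool(names & ind["attachments"])
        has_subject = subject in ind["subjects"]
        has_body = ind["body"] in body
        if has_attachment and (has_subject or has_body):
            hits.append(worm)
    return hits


# Constructed sample messages (not real captures), built from the write-ups.
HEOVIN_SAMPLE = """\
From: sender@example.invalid
To: user@example.invalid
Subject: Check This update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Check dis out!
--b1
Content-Type: application/octet-stream; name="Funnyflush.pif"
Content-Disposition: attachment; filename="Funnyflush.pif"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

BRID_SAMPLE = """\
From: sender@example.invalid
To: user@example.invalid
Subject: Example Company
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Hello,
My name is donkey-virus.
I wish you a merry Christmas and happy new year.
Thank you.
--b2
Content-Type: application/octet-stream; name="Readme.exe"
Content-Disposition: attachment; filename="Readme.exe"
Content-Transfer-Encoding: base64

AAAA
--b2--
"""

# Same subject as Heovin but no attachment: must not be flagged.
BENIGN_SAMPLE = """\
From: colleague@example.invalid
To: user@example.invalid
Subject: Check This update

Did you see the patch notes?
"""

if __name__ == "__main__":
    for label, sample in (("heovin", HEOVIN_SAMPLE), ("brid", BRID_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, classify(sample) or "no match")
```

The filter deliberately requires the attachment name, because subject lines are reused in legitimate replies. Matching on the filename alone is also weak (the worm could be renamed), so a production gateway would hash or scan the attachment content as well; this example only shows the characteristics the write-ups give.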
Security Advisories
TCPDump / LIBPCap Trojan Horse Vulnerability
Risk: High
Date: 13th November 2002
Platforms Affected
Any Linux or FreeBSD applications using the components listed below.
Components Affected
- LBL libpcap 0.7.1
- LBL tcpdump 3.6.2
- LBL tcpdump 3.7.1
Description
It has been announced that the server hosting tcpdump and libpcap, www.tcpdump.org, was
compromised recently. It has been reported that the intruder made modifications to the source code of tcpdump and
libpcap to include trojan horse code. Downloads of the source code of tcpdump and libpcap from www.tcpdump.org,
and numerous mirrors, likely contain the trojan code.
Reports say that the trojan will run once upon compilation of tcpdump or libpcap. Once the trojan is executed,
it attempts to connect to host 212.146.0.34 on port 1963.
The MD5 sums of the trojaned versions are reported to be:
73ba7af963aff7c9e23fa1308a793dca  libpcap-0.7.1.tar.gz
3a1c2dd3471486f9c7df87029bf2f1e9  tcpdump-3.6.2.tar.gz
3c410d8434e63fb3931fe77328e4dd88  tcpdump-3.7.1.tar.gz
The MD5 sums of the non-trojaned versions are:
0597c23e3496a5c108097b2a0f1bd0c7  libpcap-0.7.1.tar.gz
6bc8da35f9eed4e675bfdf04ce312248  tcpdump-3.6.2.tar.gz
03e5eac68c65b7e6ce8da03b0b0b225e  tcpdump-3.7.1.tar.gz
The non-trojaned versions of these tools are available at the following locations:
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/libpcap-0.7.1.tar.gz
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.6.2.tar.gz
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.7.1.tar.gz
Additionally, the trojan displays similarity to those found in irssi, fragroute, fragrouter, BitchX, OpenSSH, and
Sendmail.
Recommendations
- Block external access at the network boundary, unless service is required by external parties.
- Filter untrusted network traffic at border routers and network firewalls.
- Run all server processes as non-privileged users with minimal access rights.
- Perform all tasks with the minimal privileges possible.
It has been recommended that users who require tcpdump or libpcap use a known-good version of tcpdump
3.6.2, tcpdump 3.7.1 or libpcap 0.7.1.
LBL libpcap 0.7.1:
LBL tcpdump 3.6.2:
LBL tcpdump 3.7.1:
References
Source: Latest libpcap & tcpdump sources from tcpdump.org contain a trojan.
URL: http://hlug.fscker.com/
Credits
Discovery of this vulnerability credited to Russell Adams, Mathew Solnik, and Scott Stout.
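The advisory gives the MD5 sums of both the trojaned and the clean tarballs, so the practical check before running the build is to hash what was downloaded and compare it against both lists. The script below is an added example (not tcpdump.org's, LBL's or Symantec's code) that does that with the Python standard library; the sums are copied from the advisory, and the byte string used for the in-memory check at the end is constructed and matches neither list.

```python
import hashlib
import sys
from pathlib import Path

# MD5 sums printed in the advisory above, keyed by tarball name.
TROJANED = {
    "libpcap-0.7.1.tar.gz": "73ba7af963aff7c9e23fa1308a793dca",
    "tcpdump-3.6.2.tar.gz": "3a1c2dd3471486f9c7df87029bf2f1e9",
    "tcpdump-3.7.1.tar.gz": "3c410d8434e63fb3931fe77328e4dd88",
}
CLEAN = {
    "libpcap-0.7.1.tar.gz": "0597c23e3496a5c108097b2a0f1bd0c7",
    "tcpdump-3.6.2.tar.gz": "6bc8da35f9eed4e675bfdf04ce312248",
    "tcpdump-3.7.1.tar.gz": "03e5eac68c65b7e6ce8da03b0b0b225e",
}


def md5_of_bytes(data):
    """Hex MD5 of an in-memory byte string."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path):
    """Hex MD5 of a file, read in 64 KiB chunks so large archives fit."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_sum(filename, digest):
    """'clean', 'trojaned' or 'unknown' for a (tarball name, md5) pair.

    A file whose name is not in the advisory, or whose sum matches neither
    list, is 'unknown': that is not proof it is good, only that it is not one
    of the two builds the advisory describes, so it still needs another
    source of trust before it is built."""
    digest = digest.lower()
    if CLEAN.get(filename) == digest:
        return "clean"
    if TROJANED.get(filename) == digest:
        return "trojaned"
    return "unknown"


def classify_bytes(filename, data):
    """Verdict for an archive already held in memory."""
    return classify_sum(filename, md5_of_bytes(data))


def classify_file(path):
    """Return (digest, verdict) for a tarball on disk, keyed by its basename."""
    p = Path(path)
    digest = md5_of_file(p)
    return digest, classify_sum(p.name, digest)


# Constructed stand-in for a download; it is not a real tarball, so the
# verdict is 'unknown' rather than 'clean'.
SAMPLE_BYTES = b"constructed placeholder, not tcpdump source"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for arg in sys.argv[1:]:
            digest, verdict = classify_file(arg)
            print(f"{digest}  {Path(arg).name}  {verdict}")
    else:
        print(classify_bytes("tcpdump-3.7.1.tar.gz", SAMPLE_BYTES))
```

Run it with the downloaded archives as arguments. A 'trojaned' verdict means the archive is discarded, and any host that already compiled it is checked for the behaviour the advisory names, an outbound connection to 212.146.0.34 port 1963, which is also a sensible egress-filter alert. MD5 is what was published at the time; where a project offers a detached signature, verify that as well, since an intruder who can replace the archive on the server can usually replace the published sums beside it.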
Lib CGI Include Buffer Overflow Vulnerability
Risk: High
Date: 27th November 2002
Components Affected
Lib CGI 0.1
Description
Lib CGI is a freely available, open source CGI library for C programmers. It is available for Unix and Linux operating
systems.
It has been reported that a buffer overflow exists in the Lib CGI development library. Due to improper bounds checking
in an include file, programs making use of this include, or programs linked against libraries using this include,
could be vulnerable to a remote buffer overflow attack. This could result in an attacker gaining remote access
with the privileges of the web server process.
Recommendations
- Block external access at the network boundary, unless service is required by external parties.
  The filtering of untrusted network traffic may limit unauthorized access to resources, as well as prevent connectivity
  on arbitrary ports.
- Deploy network intrusion detection systems to monitor network traffic for malicious activity.
  Use network intrusion detection systems to identify attacks.
- Run all server processes as non-privileged users with minimal access rights.
  Do not execute server processes with elevated privileges.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware
of more recent information, please mail us at: vuldb@securityfocus.com.
Lib CGI 0.1:
References
Source: Remote Frame Pointer Overwrite vulnerability in LIB CGI in Language C.
URL: msg://bugtraq/20021127070501.20954.qmail@hackermail.com
Credits
Vulnerability discovery credited to "dong-h0un U".
Security News
Cyberterrorism and the Home User
Introduction
Over the last several years there has been a consistent increase in the use of the word “cyberterrorism” in the
news. You’ve heard about cyberterrorism taskforces, and read about budgets for cyberterrorism defense. After the
atrocities of September 11th, 2001, the topic has very much come to the forefront, even though the average computer
user would be hard pressed to give a good definition of what cyberterrorism actually is. That’s not surprising,
as even many computer security professionals are somewhat confused over the issue too.
As part of Symantec’s ongoing security research we have been looking in detail at this area and exploring the impact
this issue is having on many different types of computer user. In this white paper, we will talk about what that
research shows and what that means to a home user. Finally, we will examine some steps that you can take to limit
the risk posed to your computer, not just by cyberterrorism but by hackers and virus writers as well.
What Is It?
When people discuss the threat posed by cyberterrorism, one of the biggest problems encountered is that there
are many different definitions of the term itself. If you ask ten people what cyberterrorism is, you are likely
to get many different descriptions. In all of these descriptions, however, there is a common thread: the computer
is firmly ensconced as the target of cyberterrorist attack.
While this way of looking at cyberterrorism is popular, there are several problems with it. The most important
is that the computer as target is only one facet of a much larger problem – the many faces of terrorism itself.
There are many definitions of terrorism. For instance, the United States Federal Bureau of Investigation (FBI) defines
terrorism as “The unlawful use of force or violence, committed by a group(s) of two or more individuals, against
persons or property, to intimidate or coerce a government, the civilian population, or any segment thereof, in
furtherance of political or social objectives”. The United States Department of Defense (DOD) defines terrorism
using a slightly broader brush, calling it “the unlawful use of, or threatened use, of force or violence against
individuals or property, to coerce and intimidate governments or societies, often to achieve political, religious
or ideological objectives”. The United States Department of State (DOS) definition states that terrorism is
“premeditated, politically motivated violence perpetrated against noncombatant targets by sub national groups or
clandestine agents”. Finally, the United Kingdom Terrorism Act 2001 defines the use, or threat of use, of political,
religious, or ideological causes with the intent to influence a government or intimidate the public as terrorism – if
the act involves serious violence, damage to property, public health, etc.
These are just some of the definitions created by governments as part of an overall strategy to address terrorism,
and while they vary, in each case the definition is functionally relatively close. These definitions not only
determine how the various countries and agencies view terrorism, they can be used to derive the “elements”
of terrorism; that is, attributes which terrorist events have. These primary elements are:
- People: Which individuals, or local groups, are involved?
- Place: What locations are involved in the event?
- Method: What is the method used in the event?
- Tool: What tools, or items, are used to carry out the event?
- Target: What is the target of the event?
- Affiliation: How are group members affiliated (formally/informally)?
- Motivation: What is the objective of the event?
- Outcome: What are the desired, and actual, outcomes of the event?
Just about any terrorist event can be summed up using these eight different elements. But
this is just the beginning. Each element carries its own level of complexity. For example, “place” may include
where an event transpired, as well as where it was planned, or where funds were raised, etc. A “method” may include
not only things like creating fear, but activities like recruiting or generating propaganda. Finally, each of these
eight elements can be examined on many levels including the ideological, intellectual, and consequential.
Sound complicated? It is. As you might imagine, adding a computer into the mix complicates things even more. The
place for the computer in this list is far further reaching than simply as a “target”; thus, the next step in evaluating
the role of the computer in terrorism is to consider all of the possibilities that emerge when the computer is
added to each element.
For example, consider the first element, “people”. While a computer cannot (yet) act as the sole perpetrator of
a terrorist event, the computer can radically alter interpersonal interactions between people. Anonymization and
desensitization can make recruiting easier, and virtual identities can influence group dynamics. Additionally,
the Internet complicates the issues of national, subnational and international groupings.
The computer can aid the terrorist in many other ways as well. For example, covert channels can provide for messaging;
the web provides a powerful information gathering tool and arena for identity theft; individuals and groups are
no longer confined to meeting with like-minded individuals in their own countries… the possibilities are almost
endless. However, this raft of possibilities does not mean that we are helpless against the threat of
terrorism aided by computers. A great deal can be and is being done to reduce the risks that we are faced with.
As you can see, computers can play a huge role in any terrorist event, whether or not it takes place in the virtual
world. This realization forces us to change radically our assessment of cyberterrorism risks. Corporations are
treating computer security issues more seriously. The position of Chief Security Officer is becoming commonplace
within corporate America, and security companies like Symantec are continuing to produce the best products in the
world to help protect our computing infrastructure. And home users are learning how they can help exercise diligence
in using – and protecting – their home computers.
How does this affect me?
How does this affect you? The short answer is that it doesn’t, at least not much! The longer answer comes back
to the fact that the things that tend to protect your little patch of cyberspace from viruses, worms and hackers
are exactly the same things that you need to do to protect yourself from “cyberterrorism”, however you choose to
define it. As a reminder, those good computing practices are outlined below (see “What can I do…” below).
We all need to take the threat of terrorism that involves computers seriously. Symantec is committed to this work,
and is working with both government and industry worldwide to help make the global computing infrastructure safe
and secure. So, while you may see articles talking about the dangers, most of these probably won’t impact you directly.
Perhaps one of the largest roles that you may play is reducing the risk of causing network outage unintentionally.
For example, there have been instances of “Distributed Denial of Service” (DDoS) attacks on the network. In such
an attack, the attacker gets lots of computers to overload one particular machine on the network. The attacker
does this by installing a “Trojan horse” on many machines, allowing him to launch his attack. You can play a role
in preventing this kind of attack by keeping your machine more secure.
What can I do to make my computer more secure?
There are three primary areas in which you should secure your home computer. First, you want to make sure that
the data on your machine is confidential. For example, you would not want someone looking through personal finances,
which many users keep on their machines. Second, you want to make sure that someone doesn’t change your data without
you knowing it. Lastly, you want to make sure that your computer does not lose data – that is, that your data is
available to you when you want it. These three facets of security, more properly known as “Confidentiality, Integrity,
Availability”, form the basis for securing your machine.
For the home user, there are three primary ways that one or more of these pillars of security can be compromised:
viruses and worms, hackers, and “natural disasters” (like pouring a can of Jolt cola over your machine!). Fortunately,
there are simple and effective ways in which you can protect yourself from each of these threats.
For viruses and worms, use an anti-virus software package; by use, we mean install one and keep it up to date!
For users of Symantec’s Antivirus, that is pretty straightforward as the product can be configured to do this for
you automatically; if you use someone else’s product, consult your vendor. It’s hard to overstress the importance
of this: it’s quick and easy and provides so much protection!
Hackers can be dealt with in a number of ways. First, if you’re a home user, don’t simply dial in to the Internet
without considering that in many instances, not only can you see other computers, but people on those other computers
can see you! Consider using a personal firewall (like Norton Personal Firewall), which blocks unauthorized access
to your machine. Make sure that you’re protected on all levels, by using integrated products like Norton Internet
Security. That way, when you go online, you know that not only are you doing your best to protect your data, you
are also helping prevent hackers from using your computer to attack someone else’s!
Finally, make sure that you back up your important files and data. This step is so often overlooked that it’s only
noticed after things have gone wrong, when it is too late. Consider how much time and energy you have spent configuring
your computer and entering data into it. Isn’t that worth spending a few minutes protecting?
Conclusion
Although the issue of Cyberterrorism sounds daunting, it really does not change a great deal for the home user.
Being responsible in the way we use our computers is simply that: being responsible. If you take care of your machine,
this complex issue is very unlikely to affect your home computer use. Happy computing!
Sarah Gordon
Senior Research Fellow
Symantec Security Response
Contacts and Subscriptions:
Correspondence by email to: securitynews@symantec.com, no unsubscribe or support
emails please. Follow this link to subscribe or unsubscribe: http://securityresponse.symantec.com/avcenter/newsletter_regions/en.html
Send virus samples to: avsubmit@symantec.com
Disclaimer - THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.
This message contains Symantec Corporation's current view of the topics discussed as of the date of this document.
The information contained in this message is provided "as is" without warranty of any kind, either expressed
or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose,
and freedom from infringement. The user assumes the entire risk as to the accuracy and the use of this document.
This document may not be distributed for profit.
Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Other brands and products
are trademarks of their respective holder(s). (c) Copyright 2002 Symantec Corporation. All rights reserved. Materials
may not be published in other documents without the express, written permission of Symantec Corporation.